NPcap does not see interfaces/adapters after installation on Windows Server 2012 until reboot.

[asidorenko]

NPcap does not see interfaces/adapters after installation on Windows Server 2012 until reboot. For the same use case work perfectly OK on Windows Server 2016/Windows 10. I have tried to stop/start NPcap driver using sc stop/start npcap - it doesn't help. I need some workaround of this problem (from C++ code or command line).

[dmiller-nmap]

Duplicate of nmap/nmap#664. This is something we would like to fix in the future.

[asidorenko]

Strongly disagree. It is not a duplicate of nmap/nmap#664. Restarting NPcap does not fix this problem. I have implemented workaround for nmap/nmap#664 by restarting NPcap driver and my fix works.

[perseity]

I also think this not a duplicate of #664. This issue is not about adding new interface to already existing npcap installation, but installing npcap to already existing interfaces.

I had similar issue on Windows 2012 (it seems to be limited only to 2012). The only thing that helped beside system reboot was reseting the particular interface or just "NPFInstall.exe -r".

Can you reopen this case?

[pawel-kedzior-sw]

I am able to reproduce the issue. The problem reproduces easily on Windows Server 2012 R1. The problem is not reproducible on Windows Server 2012 R2 and other major Windows versions.

The repro steps which I used are:

1. On a clean Windows Server 2012 R1 machine, download: https://nmap.org/dist/nmap-7.60-setup.exe
2. Install
3. Run nping -tcp -p 80 google.com Expected Result: ping information Actual Result: error which indicates lack of interfaces provided by npcap.

The problem can be worked-around by either:

• Running C:\Program Files\Npcap\NPFInstall.exe -r
• Or rebooting the machine.

[dmiller-nmap]

Thanks everyone for reporting this. We definitely made a mistake in closing this issue. In order to better debug this issue, I need the output from:

1. DiagReport run immediately after installation, while Npcap has the problem
2. \Program Files\Npcap\NPFInstall.log after running NPFInstall.exe -r. This will also include the log of the initial install, so no need to collect that separately.

Running NPFInstall.exe -r disables and re-enables the binding of the Npcap driver to the adapter, which is a different process from restarting the driver itself. There should not be a problem running this on a production system as a workaround, but do note that if you installed with raw 802.11 WiFi capture, you should run NPFInstall.exe -r2 instead so that the WiFi bindings are re-enabled, too.

[pawel-kedzior-sw]

Attaching NPFInstall.log after installing and running NPFInstall.exe -r NPFInstall.log

[pawel-kedzior-sw]

Attaching DiagReport collected after installing (before running NPFInstall.exe -r or rebooting the machine): DiagReport-20180202-041948.txt

[dmiller-nmap]

@zuraff Thanks, this is helpful.

Do you or anyone know if any previous Npcap release did not have this problem?

[pawel-kedzior-sw]

@dmiller-nmap I checked some of the recent versions of NMap, looks that the problem is ever since Npcap replaced WinPcap. Details, referring to versions of NMap: 7.60 - reproduces 7.40 - reproduces 7.30 - running into a different problem ("WARNING: Could not import all necessary Npcap functions...") 7.25 Beta2: same as 7.30 7.25 Beta1: reproduces 7.12 - does not reproduce (uses WinPcap).

[dmiller-nmap]

I see one discrepancy that I would like to investigate if you can give me a little more information:

1. Did you select "Support raw 802.11 traffic (and monitor mode) for wireless adapters" at install? 1a. If you did, does the problem go away if you install without this option? 1b. If you did not, does running NPFInstall.exe -u2 followed by NPFInstall.exe -i fix the broken installation?
2. Can you provide the install.log file from the Npcap installation directory as well? This may explain why your DiagReport shows no raw-wifi support, but the NPFInstall.log shows that it tried to install raw-wifi support.

To be clear, I would appreciate all of this debug info from anyone who is experiencing this problem, not only @zuraff .

[pawel-kedzior-sw]

1. I did not select "Support raw 802.11 traffic (and monitor mode) for wireless adapters". install.log

2. Running NPFInstall.exe -u2 followed by NPFInstall.exe -i does not fix the broken installation

c:\Program Files\Npcap>nping -tcp -p 80 github.com

Starting Nping 0.7.60 ( https://nmap.org/nping ) at 2018-02-02 04:23 Pacific Sta
ndard Time
libnsock nsock_pcap_try_open(): pcap_open_live(eth0, 8192, 0, 1) failed with err
or: eth0: Error opening adapter: The system cannot find the device specified. (2
0)
libnsock nsock_pcap_open(): Will wait 4 seconds then retry.
^C

c:\Program Files\Npcap>NPFInstall.exe -u2
Npcap LWF driver (with Wi-Fi support) has failed to be uninstalled.

c:\Program Files\Npcap>NPFInstall.exe -i
Npcap LWF driver has been successfully installed!

c:\Program Files\Npcap>nping -tcp -p 80 github.com
Starting Nping 0.7.60 ( https://nmap.org/nping ) at 2018-02-02 04:25 Pacific Sta
ndard Time
libnsock nsock_pcap_try_open(): pcap_open_live(eth0, 8192, 0, 1) failed with err
or: eth0: Error opening adapter: The system cannot find the device specified. (2
0)
libnsock nsock_pcap_open(): Will wait 4 seconds then retry.
^C

[dmiller-nmap]

Ok, we have a diagnosis. This was something that actually came up back in 2013 during early Npcap development. There is a bug in Windows 8 and Server 2012 such that a NDIS filter driver with a StartType of 3 (SERVICE_DEMAND_START) will not have its FilterAttach method called except at system boot. The [workaround at that time(http://seclists.org/nmap-dev/2013/q3/503) was to change Npcap's StartType to 1 (SERVICE_SYSTEM_START), but this caused problems and was reverted.

As a fix, future installers will run NPFInstall.exe -r to rebind the filter driver to all adapters, but only on Windows 8 or Server 2012. We will close this issue when the next release is out and verified.

[dmiller-nmap]

This issue is fixed in Npcap 0.99-r6.